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Some total languages, like Agda and Coq, allow the use of guarded corecursion to construct infinite 
values and proofs. Guarded corecursion is a form of recursion in which arbitrary recursive calls 
are allowed, as long as they are guarded by a coinductive constructor. Guardedness ensures that 
programs are productive, i.e. that every finite prefix of an infinite value can be computed in finite 
time. However, many productive programs are not guarded, and it can be nontrivial to put them in 
guarded form. 

This paper gives a method for turning a productive program into a guarded program. The method 
amounts to defining a problem-specific language as a data type, writing the program in the problem- 
specific language, and writing a guarded interpreter for this language. 



1 Introduction 

When working with infinite values in a total setting it is common to require that every value is productive 



( [Sijtsma|[19891 ): even though a value is conceptually infinite, it should always be possible to compute 
the next unit of information in finite time. The primitive methods for defining infinite values in the 
proof assistants Agda and Coq are based on guarded corecursion ( [Coquand||1994[ ), which is a conserva- 



tive approximation of productivity for coinductive types. The basic idea of guarded corecursion is that 
"corecursive calls" may only take place under guarding constructors, thus ensuring that the next unit 
of information — the next constructor — can always be computed. For instance, consider the following 
definition of nats^ n, the stream of successive natural numbers greater than or equal to n (_::_ is the cons 
constructor for streams): 

nats^ : N — t- Stream N 
nats^ n = n :: nats^ (sue n) 

This definition is guarded, and has the property that the next natural number can always be computed in 
finite time. As another example, consider bad: 

bad : Stream N 

bad = tail (zero :: bad) 

This "definition" is not guarded (due to the presence of tail), nor is it productive: bad is not well-defined. 
Finally consider the following definition of the stream of natural numbers: 

nats : Stream N 

nats = zero :: map sue nats 

This definition is productive, but unfortunately it is not guarded, because map is not a constructor In 
fact, many productive definitions aie not guarded, and it can be nontrivial to find equivalent guarded 
definitions. 
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The main contribution of this paper is a technique for translating a large class of productive but 
unguarded definitions into guarded definitions. The basic observation of the technique is that many pro- 
ductive definitions would be guarded if some functions were actually constructors. For instance, if map 
were a constructor, then nats would be guarded. The technique then amounts to defining a problem- 
specific language as a data type which includes a constructor for every function like map, implementing 
the productive definitions in a guarded way using this language, and implementing a guarded interpreter 
for the language. Optionally one can also prove that the resulting definitions satisfy their intended defin- 
ing equations, and that these equations have unique solutions. 

The technique relies on the use of data types defined using mixed induction and coinduction (see 
Section [2]), so it requires a programming language with support for such definitions. The examples in 



the paper have been implemented using Agda (Norell 2007; Agda Team 2010), a dependently typed, 
totaQ functional programming language with good support for mixed induction and coinduction. The 



supporting source code is available to download (Danielsson 2010a). 



Before we continue it may be useful to state some things which are not addressed by the paper: 

• The paper's focus is on establishing productivity, not on representing non-productive definitions, 
nor on making non-productive definitions total by restricting their types ( |Bertot||2005| ). 



• No attempt is made to automate the technique: as it stands it provides a manual, somewhat ad hoc 
method for getting productive definitions accepted by a system based on guarded corecursion. 

The rest of the paper is structured as follows: Section |2] discusses induction and coinduction in 
the context of Agda, Sections [3]-[8] (as well as Appendix [A]) introduce the language-based approach to 
productivity through a number of examples. Section |9] discusses related work, and Section [TO] concludes. 



2 Mixed Induction and Coinduction 

This section gives a quick introduction to Agda, in particular to its support for mixed induction and 



coinduction. For more details, see Danielsson and Altenkirch (2010 Section 2) 



In Agda the type of infinite streams can be defined as follows: 

data Stream (A : Set) : Set where 
_::_ : A — t- oo [Stream A) — t- Stream A 

This definition states that Stream A is a Set ("type") with a single (infix) constructor _::_ of type 
A — )• oo (Stream A) — )• Stream A. The inclusion of oo in the type of _::_ makes Stream A coinductive; 
without it the type would be empty. You should read oo [Stream A) as "delayed stream of As" — the 
function oo : Set — Set is analogous to the suspension type constructors which are sometimes used to in- 



troduce non-strictness in strict languages (Wadler et al. 1998), and closely related to the domain-theoretic 



notion of lifting. However, Agda programs are required to be total. 

We can construct infinite values by guarded corecursion. For instance, we can define a function 
which combines two streams in a pointwise manner as follows 

zipWith -.{ABC: Set} — ;> (A — ;> B — )- C) — ^ Stream A — ^ Stream B — > Stream C 
zipWithf (x :: xs) (y:: ys) = fxy/J zipWith f xs) ys) 



' Agda is an experimental system with neither a formalised meta-theory nor a verified type checker, so take words such as 
"total" with a grain of salt. 

^The notation {ABC: Set} ... means that zipWith takes three implicit arguments A, B and C, all of type Set. These 
arguments do not need to be given explicitly if Agda can infer them. 
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This definition uses tlie coinductive delay constructor L (sharpjj^and the force function (flat): 

L: {A: Set} A-^ooA 
^ : {A : Set} -^oo A A 

Agda views zipWith as guarded, because there is no non-constructor function between the left-hand side 
and the corecursive call, and there is at least one use of the guarding coinductive constructor L. This 
constructor has special status: it is treated as a constructor by Agda's productivity checker, but may not 
be used in patterns. Instead one can use the force function: ^ x) reduces to x. 

As another example, consider the following definition of equality — bisimilarity — for streams (which 
makes use of the fact that constructors can be overloaded): 

data {A : Set} : Stream A — Stream A — Set where 

_::_ : (x : A) — 7- {xsys : oo [Stream A)} oo (j' xs ~ ys) x ::xs ~ x ::ys 

This definition states that two streams are equal if their heads are identical and their tails are equal 
(coinductively). Note that the elements of this type are equality proofs. We can establish equalities by 
constructing proofs using guarded corecursion. For instance, we can prove symmetry as follows: 

sym : {A : Set} — t- {xs ys : Stream A} ^ xs ~ ys ^ys ~ xs 
sym (x y.xs^s) = x sym (" xs^s) 

(Note that xs^s is an ordinary variable, albeit perhaps with an unusual name.) 

Let us now consider a definition which uses both induction and coinduction. The type SP A B of 



stream processors (Hancock et al. 2009) — representations of programs taking streams of As to streams 



of Bs — can be defined as follows: 

data SP{AB : Set) : Set where 
put : B ^ oo {SP A B)^SP A B 
get : (A^SPAB) ^ SP A B 

Here put b sp is intended to output b and continue with sp, while get/ is intended to read an element a 
and continue with/ a. You can see the type as the nested fixpoinlj^ vX. jxY. B x X + {A^ Y) — in fact, 
all (non-mutual) data types in the paper can be seen as nested fixpoints of the form vX. jxY. F XY (and 
mutually defined data types can be merged by adding an index). Note that the recursive argument of put 
is delayed (coinductive), whereas the recursive argument of get is not. This means that we can have an 
infinite number of consecutive put constructors, but only a finite number of consecutive gets; definitions 
such as the following one are not guarded and not accepted: 

sink : {AB : Set} ^SPAB 
sink = get (A _ — t- sink) 

The definition of sink is not problematic in and of itself (assuming that it is not evaluated too eagerly). 
However, by ruling out such definitions we make other definitions possible, for instance the following 
one, which gives the semantics of a stream processor: 

■^The prefix operator tt_ is the most tightly binding operator in this paper; ordin ary function application binds tighter, though. 
^Currently this is not quite correct in Agda ( ,Altenkirch and Danielsson 2010 1, but for the purposes of this paper the differ- 
ences are irrelevant. 
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l_j : {AB : Set} ^SPAB^ Stream A Stream B 
Iputbspjas = b:-J d'^ spjas) 
[get/ }{a::as) = lfa}{^as) 

This function is accepted by Agda because it is defined using a lexicographic combination of guarded 
corecursion and structural recursion. In this particular example the first component of the lexicographic 
product is the "guardedness", and the second component is the inductive structure of the stream proces- 
sor: 

• In the first clause the corecursive call is guarded. The stream processor is not structurally smaller, 
due to the use of the force function (^), but this is irrelevant. 

• In the second clause the corecursive call is not guarded, but there is no non-constructor function 
between the left-hand side and the corecursive call, so we say that "guardedness is preserved". On 
the other hand, the stream processor argument is strictly structurally smaller (f x is smaller than 
get / for any x). 

Armed with the knowledge that there can only be a finite number of consecutive get constructors we 
conclude that, when evaluating Isp} as, we must eventually reach the first clause. At this stage we can 
immediately inspect the head element of the output stream, because the second clause does not introduce 
any interfering destructors. 

As a final example, consider //ter, which is not accepted by Agda: 

filter : {A : Set} — )• (A — )• Bool) — )• Stream A — )• Stream A 

filter p (x:: xs) with p x 

filter p {x :: xs) \ true = x::'^ filter p xs) 

filter p {x :: xs) \ false = filter p xs) 

(Here the with construct is used to pattern match onpx.) The first corecursive call is guarded, but in the 
last clause the call is not guarded, and nothing is structurally smaller, so this function is not accepted. 

The explanations above should suffice to understand the definitions in this paper — in fact, most def- 
initions use less complicated recursion principles than the one used by [[_]] . For more information about 
Agda's criterion for accepting a function as total, see |Danielsson and Altenkirch] ( [2010 [ Section 2.5). 

Before we continue note that, in order to reduce clutter, the declarations of implicit arguments have 
been omitted in the remainder of the paper. 



3 Making Programs Guarded 

As noted in the introduction guardedness is sometimes an inconvenient restriction: there are productive 
programs which are not syntactically guarded. This section introduces a language-based technique for 
putting definitions in guarded form. 

Consider the following definition of the stream of Fibonacci numbers: 

fib : Stream N 

fib = O-.-J zipWith fib {I:: ^fib) 

While the definition of fib is productive, it is not guarded, because the function zipWith is not a construc- 
tor. If zipWith were a constructor the definition would be guarded, though, and this presents a way out: 
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we can define a problem-specific language which includes zipWith as a constructor, and then define an 
interpreter for the language by using guarded corecursion. 

A simple language of stream programs can be defined as follows]^ 

data Streamp : Set — > Seti where 

_::_ : A — 7- oo [Stream^ A) — t- Stream^ A 

zipWith : (A — ;> B — ;> C) — ;> Stream? A — ;> Stream? B — )• Stream? C 

Note that the stream program argument of _::_ is coinductive, while the arguments of zipWith are induc- 
tive; a stream program consisting of an infinitely deep application of zipWiths would not be productive. 

Stream programs will be turned into streams in two steps. First a kind of weak head normal form 
(WHNF) for stream programs is computed recursively, and then the resulting stream is computed core- 
cursively. The WHNFs are defined in the following way: 

data Streamw '■ Set — )- Seti where 

: A — )• Stream? A — )• Streamy;^ A 

Note that the stream argument to is a ("suspended") program, not a WHNF. The function whnf 
which computes WHNFs can be defined by structural recursion: 

whnf : Stream? A — )• Streamy;^ A 
whnf {x : : xs) = x xs 

whnf {z\pW\t\r\f xs ys) = zipWith^^f [whnf xs) {whnf ys) 

Here zipWith^ is defined by simple case analysis: 

zipWith^f^ : (A — 7- B — )• C) — )• Streamy^ A — )• Streamy^ B — J- Streamyf^ C 
zipWithyff (x :: xs) {y ::ys) = f xy :: z\p\N\thf xs ys 

WHNFs can then be turned into streams corecursively: 

mutual 

: Streamy^ A — ?• Stream A 
lx::xs}^ = x:-J {xsj^ 

I-}? : Stream? A ^ Stream A 
Ixsj? = Iwhnfxs}^ 

Note that this definition is guarded. (Agda accepts definitions like this one even though it is split up over 
two mutually defined functions; alternatively one could write [[ x : : xs ]] ^ — x : : " [[ whnf xs ]] ^ and define 
[[_]]p separately.) 

Given the language above we can now define the stream of Fibonacci numbers using guarded core- 
cursion: 

fibp : Stream? N fib : Stream N 

fibp = 0:-J zipWith -+-fibp (1 :: ^fib?) fib = Ifibp }p 



^Seti is a type of large types; oo has type Seti Seti for any 
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One can prove that this definition satisfies the original equation for fib by first proving corecursively 
that |{_]]p is homomorphic with respect to zipWith/z\p\N'\th: 

zipWith-hom : (/ : A — )• B — )• C) — t- (x5 : Stream A) — )• (ys : Stream B) — )■ 

[zipWith/^^3;^lp « zipWithflxsjplysjp 
fib-correct : fib « zipWith _+_ fib {\ '^fib) 



For the omitted proofs, see Danielsson (2010a ). One may also want to establish that the original equation 
for fib defines the stream completely, i.e. that it has a unique solution. For an explanation of how this can 
be done, see Section [5] 

It can be instructive to see what would happen if we tried to use the method above to implement the 
ill-defined stream bad from the introduction. Defining the language and giving a "definition" for bad is 
straightforward: 

data Stream^- (A : Set) : Set where ; . o im 

' bad : Stream^ M 

A ^ oo I Streamp A) ^ Streamp A «, a 

^ ., „^ - A bad = ta\\ (zero :: ^ bad) 

tail : Streamp A ^ Streamp A ^ ' 

However, turning stream programs into streams becomes tricky. How would fa/Zw be defined? 

data Stream-^ (A : Set) : Set where tailw '■ Streamy^ A — )■ Streamy^ A 

: A — t- Streamp A — t- Streamy^ A tailw {x xs) = ? 

Note that, in the body of tailw, xs is a stream program, but we need to produce a WHNF 



4 Several Types at Once 

The technique introduced in Section[3]is not limited to streams. In fact, it can be used with several types 
at the same time. To illustrate how this can be done I will implement circular breadth-first labelling of 



trees a la Jones and Gibbons ( 1993 1. 



The following type of potentially infinite binary trees will be used: 

data Tree (A : Set) : Set where 
leaf : Tree A 

node : o° {Tree A) — A — > oo {Tree A) — > Tree A 

Jones and Gibbons' implementation can be described as follows. First a labelling function lab is defined. 
This function takes a tree, along with a stream of streams of new labels. The labels in a prefix of the ?i-th 
stream are used to label the n-th level of the tree, and the remaining labels are returned from lab: 

lab : Tree A — t- Stream {Stream B) — t- Tree B x Stream {Stream B) 
lab leaf bss = (leaf, bss) 

lab {node I _r){{b::bs)::bss) = {node {U') b {h'),^ bs yJ bss") 
where 

{r,bss') = lab {^l) ("bss) 
{r',bss") = lab {^ r) bss' 
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This code is not accepted by Agda, because the recursive calls are not guarded (their results are destruc- 
ted, and furthermore lab, which is not a constructor, is applied to a part of one of the results)]^ The next 
step in Jones and Gibbons' implementation is to construct the stream of streams of labels which is used 
by lab, and use these streams to compute the relabelled tree. This is done using a circular construction: 

label : Tree A — t- Stream B — t- Tree B 
label t bs = t' 

where {t' ,bss) = lab t {bs -.-.'^ bss) 

This code is not accepted by Agda, because lab is not a constructor, and furthermore the result of lab is 
destructed. 

To implement breadth-first labelling in the style of Jones and Gibbons the following universe of trees, 
streams, products and arbitrary (small) types will be used: 

data U : Set\ where El : U ^ Set 



tree 
stream 



U^U El (tree a) = Tree {El a) 

U^U £■/ (stream a) = Stream {El a) 

U^U^U El{a®b) = El ax El b 

Set-^U El\A] =A 



The type U defines codes for elements of the universe, and El interprets these codes. 

By indexing the program and WHNF types by codes from the universe U we can work with several 
types at once: 



mutual 

data Elp : U ^ Seti where 
\. : £/w fl' — ^ Elp a 
fst : Elp {a® b) ^ Elp a 
snd : Elp {a^ b) ^ Elp b 

lab : TreeA Elp (stream \ StreamB^^) Elp (tree [B] (g) stream \ StreamB^^) 

data SZw : U ^ Seti where 
leaf : Hw (tree a) 

node : °° {Elp (tree a)) — > Hw a {Elp (tree a)) — )• Hw (tree a) 
_::_ : Hw a {Elp (stream a)) — )• Hw (stream a) 

_ : El^f/ a —7- Ely^ b — t- El^f/ {a b) 
r_l -.A^El^lA] 

Note that only those constructor arguments which are delayed are represented as programs in the defini- 
tion of S/w — the other arguments can be viewed as "strict". Note also that, unlike in Section [3j the two 
types are defined mutually: the WHNF type is included in the type of programs using the constructor |. 
This makes the program type less usable (the term ^stp :: xs is not well-typed, for instance), but avoids 
some code duplication. An alternative would be to merge the definitions of Elp and £'/w^ and use an 
additional index to specify which programs are in weak head normal form. 

The type of lab may seem a bit strange: the inner and outer streams are represented differently. One 
reason for this design choice can be seen in the definition of lab^: 



'Agda does not support pattern matching in where clauses as used here, but one can use projection functions instead. 
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laby^ : Tree A — Hw (stream [ Stream B ] ) — )• Hw (tree [ B ] (SD stream [ Stream B~\) 
labw leaf bss = (leaf, bss) 

labw {nodel _r) {\b::bs] bss) = (node (* fstx) \ b] {Usty),\^bs] ::hndy) 
where 

X = \ab{h) i^bss) 
y = lab(^r) (snd x) 

Consider the second clause. If laby^ had the type 

Tree A — )• Elw (stream (stream b)) — )• Elw (tree b (g) stream (stream b)), 

then the analogue of bs would be a program, but the head of the resulting stream of streams ( [ ] in 
the definition above) must be a WHNF. The use of "raw" inner streams also means that the input to the 
label function does not need to be converted. 

Note that Za^w is non-recursive. The remainder of whnf is straightforward to implement using struc- 
tural recursion: 

r ^ 177 / ^ ; \ > whnf : Elp a — )• Hw a 

fst^ : Hw {a(S>b)-^ El^ a , . . , ^ 

fst^{x,y)=x whnfilw) = w 

^ ' , . „, , whnf{htp) = fst^ {whnf p) 

snd^ : Ely, {a ^b)^ Ely, b whnfisndp) = sndw {whnf p) 

sndw {x,y) - y ^j^^j- (^^^^^ ^^^^ ^ ^^^^ ^ f^^j^^j- j^^^^ 

It is also easy to define [[-J^ and [[-Jp. These definitions use a lexicographic combination of guarded 
corecursion and structural recursion (see Section [2]): 

mutual 

l-j^ : Ely, a ^ El a 
I leaf 1^ = leaf 

[node/xrU = node (« [ ^ / y [x ^ (« [ ^Ip) 
Ixy.xsU = ::«[^x.lp 
Ux,y)}y, = (I^lw-Ivlw) 

ir^iiw =^ 

[Jp : Elp a^Ela 
Ip\v = Iwhnfpjy^ 

Finally we can define label: 

label' : Tree A — > Stream B — )• Hp (tree [ S ] (gi strea m [ Stream B ] ) 
label' tbs = lab f (;([&.?] ::*snd {label' t bs))) 

label : Tree A — J- Stream B — )• Tree B 
label tbs = I fst {label' t bs) jp 

Note that the helper function label', which corresponds to the cyclic part of the original label, is defined 
using guarded corecursion. 

I have proved that the definition of label is correct: the resulting tree has the same shape as the 
original one, and a breadth-first traversal of the resulting tree produces a potentially infinite list of labels 
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which is a prefix of the stream given to label. To state correctness I extended the universe with support 
for potentially infinite lists, and added some programs to the Elp type. For details of the statement and 



proof, see Danielsson (2010a). 



5 Making Proofs Guarded 

The language-based approach to guardedness introduced in Section [3] has some problems when applied 
to programs: 

• The interpretive overhead, compared to a direct implementation, can be substantial. For instance, 
computing the ?i-th element of the stream fib defined in Section [3] requires a number of additions 
which is exponential in n, whereas if fib = :: ' zipWith fib [Iw "^fib) is implemented directly 
in a language which uses call-by-need this computation only requires additions. The reason 
for this discrepancy is that the interpreter [[_]]p does not preserve sharing. One could perhaps work 
around this problem by writing a more complicated interpreter, but this seems counterproductive: 
why spend effort writing a new interpreter when one is already provided by the host programming 
language (or the underlying hardware)? 

• Proving properties about the interpreted definitions (for instance to establish that they aie correct) 
can be awkward, because this amounts to proving properties about the interpreter. 

However, these problems are usually irrelevant for proofs: the run-time complexity of proofs is rarely 
important, and any proof of a property is usually as good as any other. Hence the approach is likely to be 
more useful for making proofs guarded, than for making programs guarded. 



This section shows how the technique can be applied to proofs. Hinze (20081 advocates proving 



stream identities using a uniqueness property. One example in his paper is the iterate fusion law: 

fusion : {h : A ^ B) ^ (fi : A ^ A) ^ (f2 : B ^ B) ^ 
{{x : A) ^ h (fi x) =f2{hx))^ 
(x : A) — 7- map h (iterate fi x) ~ iterate f2 (h x) 



Here map and iterate are defined as follows: 



map : (A — ^ B) 
mapf (x ::xs) 



Stream A — t- Stream B 
f x::'^ mapf xs) 



iterate : (A 
iterate f X = 



A) — ;> A — )- Stream A 
x::^ iterate f (f x) 



Hinze proves the iterate fusion law by establishing that the left and right hand sides both satisfy the 
same guarded equation,/ x ^ h x :: f (fi x) (where/ is the "unknown variable"): 

map h {iterate fi x) w( by definition ) 

/i X :: ^ map h {iterate fi (fi x)) 



hx iterate f2 {h (fi x)) w( assumption ) 
/i X :: S iterate f2 (f2 {h x)) ?»( by definition ) 
iterate f2 {h x) 

The separately provecj^fact that the equation has a unique solution then implies that map h {iterate fi x) 
and iterate f2 {h x) are equal. 



^Hinze proves this using a metliod described by 
see Section[9[ 



Rutten 



(2003 1, which in fact is closely related to the method described here, 
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Note that the proof above is almost a proof by guarded coinduction: the two equational reasoning 
blocks can be joined by an application of the coinductive hypothesis. However, the second block uses 
transitivity, thus destroying guardedness. We can work around this problem by following the approach 
introduced in Section[3| Let us define a language of equality proof "programs" as follows: 

data _Rip_ : Stream A — )• Stream A — Set where 

: {x : A) ^ oo xs ~p ys) x xs ~p x :: ys 
: {xs : Stream A) xs f«p ys^ys zs ^ xs zs 
_□ : {xs : Stream A) xs ~p xs 

The last two constructors represent transitivity and reflexivity, respectively. Note that the transitivity con- 



structor is inductive; a coinductive transitivity constructor would make the relation trivial (see Danielsson 



and Altenkirch (2010)). The somewhat odd names were chosen to make the proof of the iterate fusion 



law more readable, following Norell ( 2007j ). Just remember that and are both weakly binding. 



with right associative and binding weaker than _□: 

fusion : {h : A B) (fi : A A) (f2 : B B) 
{{x:A)^h(f:x) =f2{hx))^ 
(jt : A) — 7- map h (iterate fi x) ~p iterate f2 {h x) 
fusion hf\ f2 hyp x = 

map h {iterate f\ x) ~( by definition ) 

hx::^ map h {iterate fi (fix)) ~( /j x :: ^fusion /j/i/2 hyp (f[ x] 
' ^ iterate f 2 {h (fi x)) ~( /j x :: ^ iterate -congf 2 {hyp x) 



h X : 
h X : 



iterate f 2 {[2 {h x)) ^{ by definition ] 



iterate f2 {hx) □ 



Note that the definition of fusion is guarded. The definition uses some simple lemmas {iterate-cong, by 
and definition), which are omitted here. 

In order to finish the proof of the iterate fusion law we have to show that _?ap_ is sound with respect 
to To do this one can first define a type of WHNFs: 

data _~w- : Stream A — ^ Stream A — ^ Set where 
_::_ : {x : A) xs ~p ys ^ x :: xs ~w x ::ys 

It is easy to establish, by simple case analysis, that this relation is a preorder: 

refly^ : {xs : Stream A) xs ~w xs 
trans^ : xs «w y^ — ^ y^ ~w zs — )■ xs zs 

It follows by structural recursion that programs can be turned into WHNFs: 

whnf : xs ~p ys — t- xs ~w ys 

whnf {x : : xs^s) = x::'" xs^s 

whnf {xs xsKiys ) ys^zs) = transw {whnf xs^s) {whnf ys^zs) 
whnf {xs □) = refly^xs 



Finally soundness can be proved using guarded corecursion: 
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mutual 

soundw : xs «w ys ^ xs ~ ys 
soundw y.xs^s) = x::'^ sounds xs^s 
sounds : xs f«p ys ^ xs ^ ys 
soundp xs^s = soundw {whnf xs^s) 

Note that there is no need to prove that the appUcation sounds (fusion hfifj hyp x) satisfies its intended 
defining equation, whatever that would be, or that this equation has a unique solution. 

Using the language-based approach to guardedness I have formalised a number of examples from 



Hinze's paper, see Danielsson (2010a). Rephrasing the proofs using guarded coinduction turned out to 
be unproblematic. 

As a further example, let us show that the defining equation for fib (see Section [3]) has a unique 
solution. We can state the problem as follows: 

fib-rhs : Stream N — )• Stream N 

fib-rhs ns = :: zipWith _+_ ns (l ns) 

fib-unique : (ms ns : Stream N) — J- ~ fib-rhs ms ^ ns ~ fib-rhs ns — )• ms Wp ns 

The type _Rip_ used here is different from the one used above: the proof will make use of the congruence 
of zipWith, and the coinductive hypothesis will be an argument to this congruence, so a constructor for 
the congruence is included among the equality proof programs: 

data _?sp_ : Stream A — )■ Stream A — Set where 

zipWith-cong : (/ : A — A — A) — s-x^i ~p j^'i -^xs2 ~p ys2 — )• 
zipWith f xs I XS2 ~p zipWith f ys I ys2 

It is easy to extend the definition of whnf to support zipWith-cong, using which we can define fib-unique 
as follows: 

fib-unique ms ns hyp^ hyp2 = 
ms ^{completep hypi) 

fib-rhs ms ~( :: zipWith-cong _+_ (fib-unique ms ns hyp^ hyp2) 

(1 :: ^fib-unique ms ns hypi hyp2) ) 

fib-rhs ns ~( complete ^ (sym hyp2) ) 
ns □ 

Here sym is the proof of symmetry of from Section [2j and complete^ shows that _ssp_ is complete 
with respect to _Ri_: 

complete^ '. xs ~ ys ^ xs «p ys 

complete f [x wxs^s) = x complete^ xs^ys) 



6 Destructors 



The following, alternative definition of the Fibonacci sequence is not directly supported by the framework 
outlined in previous sections: 
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fib : Stream N 

fib = yJ {I :-J zipWith _+_ fib {tail fib)) 

The problem is the use of the destructor tail. Unrestricted use of destructors can lead to non-productive 
"definitions", as demonstrated by bad (see Section [1]). However, destructors can be incorporated by 
extending the program type with an index which indicates when they can be used. 
Consider the following type of stream programs: 

data Streamp : Bool — > Set — )- Seti where 

°° (Streamp true A) — )• Streamp false A 
A —7- Streamp false A —t- Streamp true A 
tail : Streamp true A — t- Streamp false A 
forget : Streamp true A ^ Streamp fa\se A 
zipWith : (A — > B — > C) — ;> Streamp bA^ Streamp b B^ Streamp b C 

The type Streamp b A stands for streams generated in chunks of size (at least) one, where the first chunk 
is guaranteed to be non-empty if the index b is true. The constructor [_] marks the end of a chunk. 
Note how the indices ensure that a finished chunk is always non-empty, and that tail may only be used to 
inspect the chunk currently being constructed. The constructor forget is used to "forget" that a chunk is 
already finished; forget represents the identity function. This constructor is used in the implementation 
offibp (an alternative would be to give zipWith a more general type): 

fibp : Streamp true N 

fibp = :: [« (1 :: zipWith _+_ (hrgetfibp) (taWfibp))] 

The implementation of [[_]]p for this language is very similar to that for the language in Section [vj so 
it is omitted here. For details of this implementation, the proof of correctness offibp, and the proof of 



uniqueness of solutions of the defining equation for fibp, see |Danielsson| ( |2010a| ). 

7 Other Chunk Sizes 



The language of the previous section can be generalised to support other chunk sizes (jDanielsson|2010a]). 



Larger chunk sizes can provide interesting situations. Consider the following alternative definition of the 
function map from Section [5| 

map2 : (A — t- B) — t- Stream A — t- Stream B 
map2 f (x:: xs) with " xs 

map2f {x::xs) \ ywys = f x yJ (f y/J map2 f ys)) 

One can show that map and map2 are extensionally equal: 

mapKmap2 : (/ : A — )• B) — )• (jti : Stream A) -^mapfxs ~ map2f xs 

However, assuming that pattern matching is "strict", they are not interchangeable. The following defini- 
tion of the stream of natural numbers is productive, albeit not guarded: 



nats : Stream N 

nats = :: 1^ map sue nats 
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The definition that we get by replacing map by map2, on the other hand, is not productive: 



natS2 : Stream N 

natS2 = :: " map2 sue natS2 



The first element of natS2 is 0, but map2 needs to access the first two elements of its argument stream in 
order to output anything. 

We can perhaps get a better picture of the situation above using the following language: 

data Streamp {m : N) : N ^ Set ^ Set\ where 
[_] : °° {Stream^ mmA)^ Stream^ mQA 
_::_ : A — 7- Stream^ mnA ^ Stream^ m (sue n) A 
map : (A — )■ B) — )• Streamp mnA^ Streamp mnB 

Streamp mn A is a language of programs which generate streams of As in chunks of size m, where the 
first chunk has size n. We can define WHNFs and the whnf function as follows: 

data Streamw {m : N) : N ^ Set ^ Seti where 
[ _] : Streamp mmA^ Stream^ mOA 
_::_ : A — > Streamy./ mnA—^ Streamy^/ m (sue n) A 

mapyf : (A — > B) — > Streamy^ mnA—^ Streamy^/ mnB 
mapyff[xs] = [map/;c5] 
mapy^f{x::xs) = f x mapyf f xs 

whnf : Streamp (sue m) nA^ Streamy/ (sue m)nA 
whnf [xs] = xs\ 

whnf {x :: xs) = x:: whnf xs 
whnf (map/xj) = mapy/f {whnf xs) 

Stream programs where all chunks are non-empty can then be turned into streams using guarded core- 
cursion: 



{xw iywxs)}^ = x:-Jly::xs}^ 

[[-Jp : Streamp (sue m) (sue n) A — > Stream A 
lxs% = Iwhnf xs}y^ 

Using this language we cannot define natS2. The following code is ill-typed: 

natS2 : Streamp 2 1 N 

natS2 = 0:: map sue natS2] 

On the other hand, the following definitions are accepted: 

nats : Streamp 1 1 N nats'2 : Streamp 2 2 N 

nats = 0:: ['^ map sue nats] nat^2 — 0:: 1 :: [" map sue na?*^ 
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The language above uses constant chunk sizes (with the possible exception of the first chunk). If 
more flexibility is needed, then one can index programs by chunk sizes: 



data Chunks : Set where 
next : Chunks — t- Chunks 
cons : oo Chunks — )• Chunks 



data Streamp : Chunks — Set — Seti where 
[_] : oo [Streamp csA) — ?• Streamp (next as) A 
_::_ : A — ?• Streamp (^ cs) A — J- Streamp (cons cs) A 



Here Chunks represents the chunk sizes used in the production of a stream: next stands for the start 
of a new chunk, and cons increases the size of the current chunk by one. Note that next is inductive and 
cons coinductive; this ensures that there are no infinite sequences of empty chunks. 



EndruUis et al. (2010) point out that some approaches to productivity based on restricted forms of 

cannot handle the following definition 



moduli of production — which are closely related to chunk sizes 
of the Thue-Morse sequence: 



thue-morse : Stream Bool 

thue-morse = false :: (map not (evens thue-morse) T tail thue-morse) 



Here evens xs consists of every other element of xs, starting with the first, and _T_ interleaves two 
streams: (x :: xs) T ys = x ^ [ys T xs). This definition of thue-morse can be handled using programs 



indexed by Chunks; see Danielsson (2010a) for details. 



8 Nested Applications 

Before wrapping up, let us briefly consider nested applications of the function being defined, as in 
(f) (x :: xs) = X :: (p {(p xs) . Definitions with nested applications are common when programs are 
written using continuation-passing style. To handle such applications one can include a constructor for 
the function in the type of programs: 

data Streamp (A : Set) : Set where <?>w : Stream-^ A — )- Stream-^ A 

_::_ : A — ^ oo {Streamp A) — ^ Streamp A <pw {x::xs) = x :: (pp (<pp xs) 

<Pp : Streamp A Streamp A ^hnf : Streamp A Streamy^ A 

data Streamyq (A : Set) : Set where whnf {xwxs) = x::^ xs 

_::_ : A — )• Streamp A — ;> Stream-^ A whnf {(pp xs) = (pw {whnf xs) 

(The definition of [[_]]p is omitted above.) By turning streams into programs one can then define cp: 

[_] : Stream A ^ Streamp A (p : Stream A ^ Stream A 

\ x::xs~\ = x:-J \^ xs~\ q) xs = lq)p \ xs]jp 

In order to prove that (p satisfies its intended defining equation it can be helpful to use an equality proof 
language, as in Section [5} and to include a constructor for the congruence of (pp in this language: 

data _Rip_ : Stream A — )• Stream A — ^ Set where 

<pp-cong : {xsys : Streamp A) ^ {xsjp ^p lysjp^l(ppxsjp «p |I(?)p3'i'lp 
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For further details, see |Danielsson| ( [20 1 Oa[ ), who also establishes that <p's defining equation has a unique 
solution. 



9 Related Work 



This section is mainly concerned with discussing methods for establishing productivity in systems based 
on guarded corecursion. Other related work is discussed towards the end. 



Rutten (2003 ) proves that certain operations on streams are well-defined by using a technique which 



is very similar to the one described in this paper. He defines a language E of real number stream expres- 
sions inductively (this language is similar to Stream^ M), and defines a stream coalgebra c :£■—)• M x £ 
by recursion over the structure of E (this corresponds to whnf). The type of streams is a final coalgebra, 
so from c one obtains a function of type E — > Stream R (corresponding to [-Jp), which can be used to turn 
stream expressions into actual streams. Rutten then uses coinduction (expressed using bisimulations) to 
prove that the defined operations satisfy their intended defining equations, and that these equations have 
unique solutions. 

There are some differences between Rutten's proof and the technique described here, other than the 
different settings (finality vs. guarded corecursion, bisimulations vs. guarded coinduction). One is that 
Rutten defines the variant oifib from Section [6] via two mutually recursive streams (fib = :: fib' and 
fib' = \ w'^ zipWith _+_ fib fib'); he does not discuss anything resembhng the counting approaches of 
Sections [6] and [7] Another difference is that Rutten's language E is inductive, whereas Stream^ uses 
mixed induction and coinduction. A simple consequence of this difference is that when Rutten defines 
fib he includes it as a term in E; with the method described here one can get much further using a fixed 



language. Danielsson and Altenkirch (2010) also take advantage of this difference when proving that 



one subtyping relation is sound with respect to another. In this proof the program and WHNF types 
are defined mutually, using mixed induction and coinduction, and the whnf function constructs its result 
using a combination of structural recursion and guarded corecursion. For completeness a short variant 
of this development is included in Appendix [A] 



Rutten's proof is closely related to a technique due to |Bartels] ( [2003[ ). Bartels formulates the technique 
in a general categorical setting, and restricts the form of whnf, and in return proofs showing that the 
definitions uniquely satisfy certain defining equations come for free. Furthermore Bartels manages to 
define without including it as a term in the language. 



Niqui (2009 2010) implements one of Bartels' corecursion schemes, A-coiteration, in Coq. He states 



that this scheme cannot handle van de Snepscheut's corecursive definition of the Hamming numbers 



(Dijkstra 1981), which can easily be handled using the method described in this paper. 



Matthews (1999) and Di Gianantonio and Miculan (2003 ) describe general frameworks for defin- 



ing values using a mixture of recursion and corecursion, based on functions which satisfy notions of 
contractivity. The methods seem to be quite general, and have been implemented (in Isabelle and Coq, 
respectively; note that guarded corecursion is not a primitive feature of Isabelle). 



The implementations mentioned above (Matthews 1999; Di Gianantonio and Miculan 2003 Niqui 



2009 , 2010 ) provide you with unique solutions to equations, whereas when using the method described in 



this paper you need to prove correctness and uniqueness manually if you are interested in these properties. 
On the other hand, as pointed out in Section [5j there is rarely any need to pay this price when defining a 
proof. I suspect that circumstances determine which method is cheapest to use. 



Bertot (2005 ) implements a filter function for streams in Coq. An unrestricted filter function is not 



productive, so Bertot restricts the function's inputs using predicates of the form "always (eventually 
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Py\ The always part is defined coinductively, and the eventually part inductively. As mentioned in the 
introduction this work is orthogonal to the work presented here. 

Conor McBride (personal communication) has developed a technique for establishing productivity, 



based on the work of Hancock and Setzer (2000 1. The idea is to represent the right-hand sides of function 



definitions using a type RHS g, where g indicates whether the context is guarding or not, and to only allow 
corecursive calls in a guarding context. 



Capretta (2005 1 defines the partiality monad, which can be used to represent partial (potentially non- 



terminating) computations, roughly as follows: 

data J' {A : Set) : Set where 
return : A — > A ^ 
step :oo(A^)^A^ 



The constructor return returns a result, and step postpones a computation. It is easy to define bind for 
this monad: ^>=_ : A ^ — )• (A — )■ B ^) — )■ B ^. Unfortunately it can be inconvenient to use this definition 
of bind in systems based on guarded corecursion, because _»=_ is not a constructor. |Megacz| ( [2007] ) 
suggests (more or less) the following alternative definition: 



data J' (A : Set) : Seti where 
return : A — ;> A ^ 

^>=_ : oo{B'')^{B^oo{A ^)) 



■A" 



One can note that this is very close to the first step of the technique presented in this paper. Megacz does 
not translate from the second to the first type, though. 



Bertot and Komendantskaya (2009 ) describe a method for replacing corecursion with recursion. They 
map values of type Stream A to and from the isomorphic type N — )• A, and values of this type can be 
defined recursively. The authors state that the method is still very limited and that, as presented, it cannot 
handle van de Snepscheut's definition of the Hamming numbers. 



McBride (2009 1 defines an applicative functor which captures the notion of "be[ing] ready a wee bit 



later". Using this structure he defines various corecursive programs, including the circular breadth-first 
labelling function which is defined in Section [4] The technique is presented using the partial language 
Haskell, but Robert Atkey (personal communication) has later implemented it in Agda. The technique 
has not been developed very far yet: as far as I am aware no one has tried to prove any properties about 
functions defined using it. 

Instead of working around the limitations of guarded corecursion one can include language features 



which make it easier to explain why programs are productive. One such feature is sized types (Hughes 



et al. 1996 Barthe et al. 2004; Abel 2009), and the A-calcuU of Buchholz (2005 ) provide other examples. 



Another approach is to use cleverer algorithms for establishing productivity. EndruUis et al. (2010 



|2008) present algorithms which handle the definition of thue-morse from Section [7] automatically (except 
that, as presented, they only support first-order term-rewriting systems). The algorithms are tailored to 
streams; it seems to be hard to adapt them to, say, coinductive trees. Another algorithm is presented by 



Telford and Turner| ( |1997] ). This algorithm does not handle thue-morse ( [EndruUis et al.||2()T0] ), but has 
the advantage of working for a large class of coinductive data types. 



Morris et al. (2006) use the technique of replacing functions with constructors to show termination 
rather than productivity (see [Morris et al.[ ([2007]) for an explanation of the technique). They replace 



a partially applied recursive call (which is not necessarily structural, because it could later be applied 
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to anything), nested inside another recursive call, with a constructor application. If this constructor 
application is later encountered it is handled using structural recursion. 

The technique presented here also shares some traits with Rey nolds] defunctionalisation ( [1972] ). De- 
functionalisation is used to translate programs written in higher-order languages to first-order languages, 
and it basically amounts to representing function spaces using application-specific data types, and im- 
plementing interpreters for these data types. 



10 Conclusions 



I hope to have shown, through a number of examples, that the language-based approach to establishing 
productivity is useful. I am currently turning to it whenever I have a problem with guardedness; see 



Danielsson and Altenkirch (2010) and Danielsson (2010b) for some examples not included in this paper. 



However, there are some problems with the method. As discussed in Section[5]it is not very useful if 
efficiency is a concern. Furthermore it can be disruptive: if one decides to use the method after already 
having developed a large number of functions in some project, and many of these functions have to 
be reified as constructors in a program data type, then a lot of work may be necessary. In fact, this 
problem — in one shape or another — is likely to apply to all approaches to making definitions guarded. 
In the long term I believe that it would be useful to adopt a more modular approach to productivity than 
guardedness. 
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A An Inductive Approximation of Stream Equality 



Danielsson and Altenkirch (2010) prove that one subtyping relation is sound with respect to another 



using the technique described in this paper. This appendix outlines the proof, but in a simplified (and 
slightly different) setting: equality between streams. 

Recall the definitions of Stream and stream equality, from Section|2] One can define a sound ap- 



proximation of stream equality inductively as follows (using an idea due to [Brandt and Henglein (1998)) 



data [H : List {Stream A x Stream A)) : Stream A — )• Stream A — Set where 

(x : A) —7- (x :: xs,x :: ys) :: H \- ^ xs ^ ^ ys — )• H \- x xs ^ x ys 
{xs,ys) G // —7- H \- xs ^ ys 
H \- xs ^ ys — )• H \- ys zs — t- H \- xs ^ zs 



hyp 
trans 



The intention is that, if one can prove H ^ xs ys, and all the assumptions in the list H are valid, then 
xs and ys should be equal. The first constructor of states that, in order to prove that x:: xs and 

X ::ys are equal, it suffices to show that xs and ^ ys are equal, given the extra assumption that x ■.: xs 
and x::ys w& equal. The second constructor makes it possible to use the hypotheses in the list H (_G_ 
encodes list membership), and the third constructor encodes transitivity. As an example, we can prove 
that the list repeat x ^ x::'^ repeat x is equal to itself as follows: 
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repeat-refl : (x : A) — t- [] h repeat x ~ repeat x 
repeat-refl X = x:: hyp here 

(The constructor here proves that the head of a Ust is a member of the Ust. In this case it is used at the 
type {repeat X, repeat x) G [repeat x, repeat x) :: [].) 

Soundness of will now be established. The goal is to prove that H \- xs ^ ys implies 

xs « ys, given that All {Valid -~-) H, where All P xs means that P holds for all elements in the list xs, 
and Valid is uncurry for stream predicates: 

data A// (P : A Set) : List A Set where 
[] -AllPW 

: P x ^ All P xs ^ All P {x -.-.xs) 

Valid : {Stream A — t- Stream A — )• Set) — t- Stream A x Stream A — t- S'ef 
Valid -R- {xs,ys) = xsRys 

We begin by defining the program and WHNF types mutually as follows: 

mutual 

data _?»p_ : Stream A — Stream A — Set where 

sound : All {Valid _^y^_) H — )• H \- xs ^ ys — )• xs wp ys 
trans : xi' ssp ys — )• ssp — ). xs ssp ^s 

data _~w- : Stream A — )• Stream A — )• ^ef where 

_::_ : (x : A) — )• 00 ~p ^ ys) — )• x :: xs ~w x::ys 

Note that the first argument of the program sound refers to WHNFs. The function transy^, whose type is 
xs ww ys — )• ys ~w zs — > xs zs, can be defined using simple case analysis. The function soundw 
is defined as follows, using structural recursion: 

sounds : All {Valid H — )• H ^ xs ^ ys — )• xs ~w 

soundw valid (hyp h) = lookup valid h 

soundw valid {trans xs^s ys^zs) = transw {soundw valid xs^s) {soundw valid ys^zs) 
soundw valid (x : : xs^s) = proof 

where proof = x :: ^ sound {proof :: valid) xs^s 

In the first clause lookup : All P xs ^ x G xs ^ P x is used to fetch a proof from the "list" of valid 
assumptions. In the third clause a circular proof is constructed using guarded corecursion; note that the 
list of valid assumptions is extended with the proof currently being defined. Given transw and soundw 
it is easy to define whnf using structural recursion: 

whnf : xs ~p ys — )• xs ~w ys 

whnf (sound valid xs^ys) = soundw valid xs^s 

whnf {trans xs^s ys^zs) = transw {whnf xs^s) {whnf ys^zs) 



The remaining pieces of the soundness proof are omitted (see lDanielsson| ([20 1 Oa|)) 
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